Broken Authentication

Broken Authentication in Go (Gin) Guide [GHSA-ccxc-x975-4hh9]

[Updated May 2026] Updated GHSA-ccxc-x975-4hh9

Overview

Broken Authentication vulnerabilities allow an attacker to impersonate legitimate users by stealing or guessing tokens, or by abusing weak session mechanisms. In Go applications using Gin, these issues often arise when tokens or cookies are not properly signed, scoped, or transmitted over TLS. If an attacker can obtain a valid session token, they can bypass login, access restricted resources, and potentially escalate privileges. In Gin-based services, you might see this as storing session state on the client without signing, reusing tokens across users, or using cookies with HttpOnly or Secure flags disabled. Poor token management (static secrets, long expiry, no rotation) and insufficient validation at each protected endpoint are common real-world patterns that enable account compromise or data leakage. This guide presents a general remediation strategy: separate code paths for vulnerable and fixed patterns, switch to signed tokens with strong keys loaded from environment, enforce HttpOnly and Secure cookies, validate tokens on every request, and monitor revocation and rotation. These practices reduce the risk of broken authentication in Gin apps without depending on vendor-specific features.

Code Fix Example

Go (Gin) API Security Remediation 
package main

import (
	"net/http"
	"os"
	"time"
	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt/v4"
)

func main() {
	r := gin.Default()

	// Vulnerable endpoints
	r.GET("/vuln/login", vulnLogin)
	r.GET("/vuln/profile", vulnAuthMiddleware(), vulnProfile)

	// Fixed endpoints
	r.GET("/fix/login", fixLogin)
	r.GET("/fix/profile", fixAuthMiddleware(), fixProfile)

	r.Run(":8080")
}

// Vulnerable pattern: uses a hard-coded secret and insecure cookies
// and reads credentials via query parameters to illustrate a vulnerable pattern.
func vulnLogin(c *gin.Context) {
	username := c.Query("username")
	password := c.Query("password")
	if username == "admin" && password == "password" {
		token, _ := generateJWT(username, []byte("vulnsecret"), time.Now().Add(30*time.Minute))
		// Vulnerable: HttpOnly flag not set
		c.SetCookie("token", token, 1800, "/", "localhost", false, false)
		c.JSON(http.StatusOK, gin.H{"status": "logged in (vuln)"})
		return
	}
	c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid credentials"})
}

func vulnProfile(c *gin.Context) {
	user, _ := c.Get("user")
	c.JSON(http.StatusOK, gin.H{"user": user})
}

func vulnAuthMiddleware() gin.HandlerFunc {
	return func(c *gin.Context) {
		token, err := c.Cookie("token")
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
			return
		}
		parsed, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
			return []byte("vulnsecret"), nil
		})
		if err != nil || !parsed.Valid {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
			return
		}
		claims := parsed.Claims.(jwt.MapClaims)
		c.Set("user", claims["sub"])
		c.Next()
	}
}

// Fixed variant: secret loaded from environment and HttpOnly cookie set
func fixLogin(c *gin.Context) {
	username := c.Query("username")
	password := c.Query("password")
	if username == "admin" && password == "password" {
		secret := os.Getenv("JWT_SECRET")
		if secret == "" {
			c.JSON(http.StatusInternalServerError, gin.H{"error": "server misconfiguration"})
			return
		}
		token, _ := generateJWT(username, []byte(secret), time.Now().Add(30*time.Minute))
		// Fixed: HttpOnly cookie set; Secure should be true in production TLS
		c.SetCookie("token", token, 1800, "/", "localhost", true, true)
		c.JSON(http.StatusOK, gin.H{"status": "logged in (fixed)"})
		return
	}
	c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid credentials"})
}

func fixProfile(c *gin.Context) {
	user, _ := c.Get("user")
	c.JSON(http.StatusOK, gin.H{"user": user})
}

func fixAuthMiddleware() gin.HandlerFunc {
	return func(c *gin.Context) {
		token, err := c.Cookie("token")
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
			return
		}
		secret := os.Getenv("JWT_SECRET")
		if secret == "" {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "server misconfiguration"})
			return
		}
		parsed, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
			return []byte(secret), nil
		})
		if err != nil || !parsed.Valid {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
			return
		}
		claims := parsed.Claims.(jwt.MapClaims)
		c.Set("user", claims["sub"])
		c.Next()
	}
}

func generateJWT(username string, secret []byte, expiry time.Time) (string, error) {
	claims := jwt.MapClaims{
		"sub": username,
		"exp": expiry.Unix(),
		"iat": time.Now().Unix(),
		"iss": "gin-auth-demo",
	}
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	return token.SignedString(secret)
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.